parameterized query with wildcard

Andrew Kluthe andrew at ctech.me
Tue Jul 28 12:18:26 EDT 2015


Should have read, *proper escaping*.

On Tue, Jul 28, 2015 at 11:17 AM Andrew Kluthe <andrew at ctech.me> wrote:

> Does revDataFromQuery do any sanitizing/proper to prevent me from sneaking
> extra SQL into your search box like an injection style attack, or does it
> just plop whatever you give in there no questions asked? Just curious. I
> have always been spoiled by SQLYoga or rolled my DB interfaces up into API
> servers of some kind.
>
> On Tue, Jul 28, 2015 at 11:09 AM Dave Kilroy <dave at applicationinsight.com>
> wrote:
>
>> Mike, assuming you are searching the db with parameter pSearchTerm, try
>> something like this:
>>
>>
>> put "%" & pSearchTerm & "%" into tSearchTerm
>> put "SELECT * FROM foo WHERE bar LIKE :1" into tQuery
>> get revDataFromQuery(tab, return, sDBID, tQuery, "tSearchTerm")
>>
>>
>>
>>
>>
>>
>> -----
>> "The difference between genius and stupidity is; genius has its limits."
>> - Albert Einstein
>> --
>> View this message in context:
>> http://runtime-revolution.278305.n4.nabble.com/parameterized-query-with-wildcard-tp4694407p4694419.html
>> Sent from the Revolution - User mailing list archive at Nabble.com.
>>
>> _______________________________________________
>> use-livecode mailing list
>> use-livecode at lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your
>> subscription preferences:
>> http://lists.runrev.com/mailman/listinfo/use-livecode
>>
>



More information about the Use-livecode mailing list